ASSASSIN v1.4 USER GUIDE

June

OVERVIEW CONCEPT OF OPERATIONS SUBSYSTEMS THE GIBSON SYSTEM REQUIREMENTS GALLEON PYTHON ASSASSIN IMPLANT IMPLANT EXECUTABLE USAGE IMPLANT DLL RUNNING VIA DLLMAIN RUNNING VIA GH RUNNING VIA RUNDLL IMPLANT SERVICE DLL RUNNING VIA RUNDLL RUNNING VIA SERVICEMAIN IMPLANT EXE IMPLANT ICE DLL IMPLANT PERNICIOUS ICE DLL IMPLANT IDENTIFICATION BEACON BEACON TRANSACTION BEACON TIMING PROCESS CHECK TASKING TASK COMMANDS TASK RUN MODE TASK INPUT TASK EXECUTION TASK OUTPUT COMMUNICATION TRANSPORTS PUSH DIRECTORIES UPLOAD QUEUE CHUNKING OPERATIONAL WINDOW

CL BY: CL REASON: Section 1.5(c),(e) DECL ON: DRV FRM: COL 6-03

7.6.1 HIBERNATE SCHEDULED UNINSTALL FAILURE THRESHOLD CONFIGURATION CONFIGURATION SETS CRYPTO FOOTPRINT IMPLANT EXECUTABLE DIRECTORIES ASSASSIN DEPLOYMENT INJECTION LAUNCHER LAUNCHING ASSASSIN EXTRACTING ASSASSIN CONFIGURATION FOOTPRINT SERVICE INSTALLER INSTALLING ASSASSIN CONFIGURATION FOOTPRINT BUILDER USAGE CONFIGURATION AND RECEIPT FILES COMMAND LINE BUILDER COMMANDS BUILD OPTION COMMANDS IMPLANT COMMANDS LAUNCHER COMMANDS EXTRACTOR COMMANDS SUBSHELLS BUILD OUTPUTS PROGRAM LIST TRANSPORT LIST COMPLEX NUMBERS FILE SIZE AND OFFSET MODIFIERS TIME MODIFIERS WIZARD OUTPUT DIRECTORY LAYOUT USER INTERFACE USAGE THE GIBSON MANAGEMENT REGISTRATION COMMANDS TARGETING COMMANDS INFORMATION COMMANDS TARGET MANAGEMENT

10.3.1 TASK COMMANDS SAFETY COMMANDS INFORMATION COMMANDS TASK SUB-SHELL TASK MANAGEMENT COMMANDS FILE SYSTEM COMMANDS EXECUTION COMMANDS CONFIGURATION COMMANDS MAINTENANCE COMMANDS TRANSPORT SUB-SHELL TASK GENERATOR USAGE INPUTS OUTPUTS QUEUE AND QUEUE PROXY QUEUE USAGE QUEUE PROXY USAGE QUEUE COMMUNICATION BEACON SERVER USAGE SERVICING BEACONS INSTALLATION ON APACHE POST PROCESSOR AND INGESTER PROCESSING ASSASSIN DATA POST PROCESSOR USAGE DEFAULT INGESTER USAGE PUBLISH TYPE TAGS OUTPUT DIRECTORY LAYOUT LOG COLLECTOR AND EXTRACTOR TRANSFERRING LOGS LOG COLLECTOR USAGE LOG EXTRACTOR USAGE AUTOMATION THE GIBSON DESIGN SCRIPTS CONFIGURATION LOGGING ADMINISTRATIVE PROCEDURES

17.1 INSTALLING THE GIBSON UPDATING THE GIBSON XML FORMATS XML FORMATS ASSASSIN BEACON XML FILE FORMAT ASSASSIN BEACON XML FILE FORMAT ASSASSIN CONFIGURATION / RECEIPT XML FILE FORMAT ASSASSIN CONFIGURATION / RECEIPT XML FILE FORMAT BUILD OUTPUTS IMPLANT CONFIGURATION LAUNCHER CONFIGURATION EXTRACTOR CONFIGURATION SERVICEINSTALLER CONFIGURATION ASSASSIN METADATA XML FORMATS ASSASSIN METADATA XML FORMATS ASSASSIN PUSH FILE XML FORMATS ASSASSIN PUSH FILE XML FORMATS ASSASSIN RESULT XML FILE FORMATS ASSASSIN RESULT XML FILE FORMATS RESULT FILE BASIC RESULT WINDOWS RESULT EXECUTE FILE RESULT GET WALK RESULT GET STATUS RESULT ASSASSIN TASK XML FILE FORMATS ASSASSIN TASK XML FILE FORMATS TASK FILE CLEAR QUEUE DELETE FILE EXECUTE GET STATUS GET WALK FAF LOAD ICE LOAD PERSIST SETTINGS PUT RESTORE DEFAULTS SAFETY SET BEACON FAILURE SET BEACON PARAMS SET BLACKLIST SET CHUNK SIZE SET HIBERNATE SET TRANSPORT SET UNINSTALL DATE

SET UNINSTALL TIMER SET WHITELIST UNINSTALL UNPERSIST UPLOAD ALL FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS CHANGE LOG CHANGE LOG

1 Overview

This document is intended to provide information relevant to the secure and effective use of the Assassin automated implant, including descriptions of system components, instructions for their operation, and potential vulnerabilities to detection or failure.

1.1 Concept of Operations

Assassin is an automated Implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. Assassin will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment.

1.2 Subsystems

Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.

Implant

The Implant provides the core logic and functionality of Assassin on a target computer. An Implant is configured using the Builder and deployed to a target Windows machine via some undefined vector. The Implant subsystem consists of an Implant Executable and, optionally, a Deployment Executable.

Builder

The Builder configures Implant and Deployment Executables before deployment. The operator may configure the executables from scratch or provide a configuration as a starting point. The Builder provides a custom command line interface for setting the Implant configuration before generating the Implant. A wizard mode is available to walk the operator through the build process.

Command and Control

The Command and Control (C2) subsystem provides an interface between the operator and the Listening Post. It is used to generate tasks for an implant and send them to an LP, process the results of those tasks received from an LP, and handle logs collected from the LP. The C2 consists of the User Interface, Task Generator, Queue Proxy, Post Processor, Default Ingester, and Log Extractor.

Listening Post

The Listening Post (LP) subsystem facilitates communication between an Assassin Implant and the C2 subsystem through a web server. The LP consists of the Beacon Server, Queue, and Log Collector.

1.3 The Gibson

The Assassin C2 and LP subsystems are referred to collectively as The Gibson. The Gibson represents the configuration and deployment of the C2 and LP using Galleon interfaces. The Gibson requires a configuration file. The system will automatically locate the file when it is installed at /etc/the-gibson or, relative to the the_gibson Python package, at ./.gibconfig.

1.4 System Requirements

1.4.1 Galleon

The Assassin subsystems are Galleon-compliant components and are dependent on Galleon interfaces for operation. Assassin uses the Transport Interface (version 1) to communicate between components and the Publish Interface (version 1) to provide processed results to the user.

1.4.2 Python

The Assassin scripts are written for Python version 3.3. Their compatibility with other versions has not been tested and is not assured. Unless otherwise stated, the scripts may run on any platform and operating system that runs a Python interpreter. The Assassin scripts are dependent on the provided Python packages, named 'assassin' and 'the_gibson'. The packages must be placed within one of Python's path resolution directories, which include the directory of the script executed.

2 Assassin Implant

The Assassin Implant provides the core logic and functionality of the Assassin toolset on the target, including communications and task execution. The configuration of the Implant determines the majority of its behavior, including when it operates, when it beacons, how it communicates, and where it operates on the target. Assassin includes five types of Implant Executable: DLL, EXE, Service DLL, ICE DLL, and Pernicious Ice DLL.

2.1 Implant Executable Usage

Implant Executables may be run directly or through one of the Deployment Executables. However, when run directly, Implant Executables do not provide their own persistence.

2.1.1 Implant DLL

The Implant DLL is a Windows Dynamically Loaded Library. The Implant DLL may be run through one of the Deployment Executables or directly, via DllMain or a provided RunDll32 entry point.

3 Running via DllMain

The Implant may be started by loading the Implant DLL directly. The DllMain function defined by the DLL will start the implant within the host process that loads it.

4 Running via GH1

Grasshopper is an installation utility that provides soft persistence on Microsoft Windows targets. The Implant DLL implements the Grasshopper GH1 interface, which allows it to interact directly with Grasshopper modules that also implement the interface. See the Grasshopper Users' Guide for more information about installing payloads using Grasshopper.

5 Running via RunDLL32

A RunDLL32 entry point is provided by the Implant DLL to run the Implant directly. When executed through RunDLL32, the Implant DLL is loaded and executed within a RunDLL32 process, which will be present in the process list.

Usage

For 32-bit target: rundll32.exe Assassin.dll,_EntryPoint@0
For 64-bit target: rundll32.exe Assassin.dll,EntryPoint

5.1.1 Implant Service DLL

The Implant Service DLL is a Windows Dynamically Loaded Library that includes a ServiceMain entry point. The Implant Service DLL may be run through one of the Deployment Executables or directly via the ServiceMain or a provided RunDll32 entry point.

6 Running via RunDLL32

A RunDLL32 entry point is provided by the Implant Service DLL to run the Implant directly. When executed through RunDLL32, the Implant Service DLL is loaded and executed within a RunDLL32 process, which will be present in the process list.

Usage

For 32-bit target: rundll32.exe Assassin.dll,_EntryPoint@0
For 64-bit target: rundll32.exe Assassin.dll,EntryPoint

7 Running via ServiceMain

The Implant Service DLL may be installed as a valid service executable on a target by hand or through a third-party tool. This process is left as an exercise to the reader.

7.1.1 Implant EXE

The Implant EXE is a plain Windows Executable that behaves identically to the DLLs as an implant but provides its own process. Unfortunately, this means that the Implant EXE loses the stealth it gets from residing in trusted Windows processes. To start the Implant, simply start the Implant EXE file as you would any other EXE.

7.1.2 Implant ICE DLL

The Implant ICE DLL is a Windows DLL file that meets the ICE V3 Forget specification. This means that this DLL can be loaded by any tool that supports ICE V3 and the Forget feature set.

7.1.3 Implant Pernicious Ice DLL

The Implant Pernicious Ice DLL is a Windows DLL file that meets the NSA Pernicious Ice specification. This means that this DLL can be loaded by the Pernicious Ice tool.

7.2 Implant Identification

An Assassin ID is a case-sensitive, eight-digit alphanumeric string that uniquely identifies an Assassin Implant. The ID contains two four-digit parts: the parent and the child. The parent identifies groups of implants and is always set by the operator at build time. The child identifies an Implant within the parent group. If the child is not set at build time, it is randomly generated by the Implant on first execution. Only one Assassin Implant is permitted to run on a target per parent ID.

7.3 Beacon

Assassin communications are organized around periodic events called beacons. During a beacon event, the Implant will connect to the listening post to send vital information about the Implant state, request tasking from the operator, and respond with results. The beacon transaction, the timing of events, and optional conditional checks are described below.

7.3.1 Beacon Transaction

The majority of Implant-Listening Post communications occur during beacon events. The beacon transaction is composed of six stages:

1. Decide to Beacon
The Implant decides if it should perform a beacon transaction. Two conditions must be met before the Implant will attempt to beacon.
- Beacon Interval seconds have elapsed since the last beacon transaction.
- Target machine passes the Process Check, which is described below.

2. Beacon
The Implant sends a beacon to the Listening Post, initiating the transaction. The beacon includes information about the state of the Implant, including:
- ID of the Implant
- Current Time on the target machine
- Time when the Implant last started execution
- Time when the Implant is scheduled to uninstall, if scheduled
- Index of Transport used to conduct current beacon

3. Download Tasking
The Implant downloads a Tasking file, if any are available, from the Listening Post. The file is saved in the input directory with a random name between five and twenty-five alphanumeric characters.

4. Execute Tasking
The Implant executes any tasking files it finds in the input directory. Results are generated, prepared for upload, and saved in the upload queue. The results of task execution do not affect the success/failure of the beacon.

5. Upload Results
The Implant uploads files to the Listening Post from the upload queue. The Implant will continue to upload files until the upload limit is met or the upload queue is exhausted.

6. Update Beacon Interval
The Implant calculates the duration of the next beacon interval based on the success or failure of the current beacon's communications.

7.3.2 Beacon Timing

The timing of beacon events is defined by the five beacon configuration fields. The interval between events is dynamic and calculated at the end of each transaction using the following algorithm:

    if (comms_succeeded):
        interval = default_interval
    else:
        interval *= backoff_factor
    interval += RandomInteger(-jitter, jitter)
    if (interval > max_interval):
        interval = max_interval

Default Interval

The default_interval specifies an integral number of seconds between beacons. The Implant will not beacon more frequently than every default_interval seconds. While the beacon period is variable, this is the interval the Implant will maintain while successfully communicating with the listening post.

Max Interval

The max_interval defines an integral number of seconds as an upper bound for beacon intervals. The Implant will attempt to beacon at least every max_interval seconds.

Jitter

The jitter specifies an integral number of seconds representing the maximum amount of variation in beacon timing. Whenever the time for the next beacon is calculated, the jitter is applied to introduce randomness to the timing of beacons.

Backoff Factor

The backoff_factor modifies the beacon interval after a failed attempt to beacon, multiplying the current interval by the factor. The factor is specified by a floating point value greater than or equal to 1.0.

Initial Wait

The initial_wait defines an integral number of seconds that the Implant must wait after startup before attempting its first beacon.
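The interval model above leaves a recognisable shape in proxy or flow logs, and the following added example (not part of the guide or the toolset) fits connection timestamps for one host and destination pair to it: a steady interval with bounded jitter, plus runs of growing gaps up to a cap. The thresholds, function names and both timestamp series are assumptions constructed for illustration.

```python
"""Fit outbound-connection timestamps to the interval model in section 7.3.2:
a steady default interval with bounded jitter, and multiplicative backoff
after failures up to a maximum interval. All thresholds are assumptions."""
from itertools import accumulate
from statistics import median


def gaps_of(timestamps):
    """Seconds between consecutive connections from one host to one destination."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def backoff_runs(gaps, base, tol):
    """Runs of two or more consecutive gaps that sit above the steady band and
    do not shrink, which is the trace left by interval *= backoff_factor."""
    runs, current, previous = [], [], base
    for gap in gaps:
        above_band = gap > base * (1 + tol)
        if above_band and gap >= previous * (1 - tol):
            current.append(gap)
        else:
            if len(current) >= 2:
                runs.append(current)
            current = [gap] if above_band else []
        previous = gap
    if len(current) >= 2:
        runs.append(current)
    return runs


def profile(timestamps, tol=0.2, min_gaps=8, min_steady=0.6):
    """Estimate the model parameters and decide whether the series fits."""
    result = {"beacon_like": False, "base_interval": None, "jitter_estimate": None,
              "steady_fraction": 0.0, "backoff_factor": None, "interval_cap": None}
    gaps = gaps_of(timestamps)
    if len(gaps) < min_gaps:
        return result  # too few events to judge
    rough = median(gaps)
    steady = [g for g in gaps if abs(g - rough) <= tol * rough]
    if not steady:
        return result  # no gaps cluster around a common interval
    base = median(steady)  # second pass: not skewed by backoff gaps
    runs = backoff_runs(gaps, base, tol)
    # Growth ratios inside a run; a ratio near 1.0 means the cap was reached.
    growth = [b / a for run in runs for a, b in zip(run, run[1:]) if b / a > 1 + tol]
    result.update(
        beacon_like=len(steady) / len(gaps) >= min_steady,
        base_interval=base,
        jitter_estimate=max(abs(g - base) for g in steady),
        steady_fraction=round(len(steady) / len(gaps), 3),
        backoff_factor=round(median(growth), 2) if growth else None,
        interval_cap=max(max(run) for run in runs) if runs else None,
    )
    return result


# Constructed samples (seconds between events), not captured traffic.
START = 1_700_000_000
BEACON_GAPS = [295, 310, 288, 305, 300, 312, 291, 298,   # steady, jitter about 13 s
               600, 1195, 2400, 3600, 3600,              # failures: backoff, then cap
               302, 297, 309, 294]                       # success resets the interval
BROWSING_GAPS = [12, 840, 45, 3, 2200, 130, 61, 900, 15, 400]
BEACON_TS = list(accumulate(BEACON_GAPS, initial=START))
BROWSING_TS = list(accumulate(BROWSING_GAPS, initial=START))

if __name__ == "__main__":
    for label, series in (("beacon-like", BEACON_TS), ("browsing", BROWSING_TS)):
        print(label, profile(series))
```

Gaps only appear in network logs for beacons that reach the wire; a beacon aborted by the process check produces no connection, so long silent gaps do not rule the model out.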

7.3.3 Process Check

The Assassin Implant may be configured to check the target's running process list before performing a beacon. The contents of the process list are compared against two sets of processes defined at build time, the blacklist and the whitelist. These lists are specified by the image names of the processes in question.

The blacklist is a set of processes that prevent the performance of a beacon transaction. If any of the processes in the blacklist is running, the beacon is aborted.

The whitelist is a set of processes that enable the performance of a beacon transaction. If none of the processes in the whitelist is running, the beacon is aborted.

If a beacon is aborted due to a failed process check, it is considered a failed beacon for the purposes of the failure threshold; see the section on Failure Threshold.

7.4 Tasking

The Assassin Implant implements an asynchronous command and control design based on the exchange of tasks and results between the Implant and the Listening Post. Tasks are created using either the User Interface or the stand-alone Task Generator; see section 11 on the Task Generator. Results are assembled and processed using the Post Processor; see section 14 on the Post Processor.

7.4.1 Task Commands

An Assassin task consists of one or more commands. The commands are run sequentially until all have been executed or until an error is detected. Assassin tasks should be used to encapsulate the execution of several interdependent commands. For example, a task may include commands to put an executable on the target, run the executable, get the output of the executable, and securely delete the executable.

7.4.2 Task Run Mode

Tasks may be set to run in a variety of modes that determine when the task is run and when its results are returned to the LP.

A task run mode may be set to 'run on receipt' or 'run on startup' or both. If a task is set to run on receipt, it will be executed as soon as it is processed by the implant. If a task is set to run on startup, it is copied to the implant's startup directory and executed every time the implant starts.

A task run mode may additionally be set to push results. If a task is set to push results, the Implant will upload the result file immediately to the LP. The pushed result bypasses the upload queue and does not influence the upload limits set by the chunk size.

7.4.3 Task Input

The Assassin Implant monitors its input directory for new task files by polling every five seconds. The Implant will process the first task it finds and remove it from the input directory. Task files are typically placed in the directory during communication with the Listening Post. However, task files placed in the input directory via a non-Assassin mechanism will be processed like any other task.

Startup tasks are stored in the Assassin startup directory. All task files in this directory are processed exactly once during Implant start. Task files are typically placed in the directory by the Implant whenever it identifies a task as a startup task. However, task files placed in the startup directory via a non-Assassin mechanism will be processed like any other startup task.

7.4.4 Task Execution

The Assassin Implant processes one task file at a time and blocks during the execution of tasks. Tasks are not executed during hibernation; startup tasks run after the hibernation period but before the initial beacon delay.

7.4.5 Task Output

The Assassin Implant creates an encrypted result file in the output directory for each processed task file. If the task was configured to return its results immediately, the Implant will upload this file to the listening post. Otherwise, the file is placed in the upload queue for eventual transmission to the LP.

7.5 Communication

The Assassin Implant implements communications mechanisms to fetch and respond to tasking and to support third-party tools.

7.5.1 Transports

Assassin may be configured to communicate using one or more transports. A transport configuration consists of a listening post, a try value, a communication protocol, and protocol-specific options. The Implant is configured with an ordered list of transports. The Implant will attempt to beacon using a transport the configured number of tries before switching to the next transport in the list, or the first if the list has been exhausted.

HTTPS

Assassin supports communication over the Hypertext Transfer Protocol Secure (HTTPS). The Implant communicates with the listening post via GET and POST requests using the WinInet API. User agent strings identify the Implant communications as originating from a Mozilla Firefox browser.

Port Customization

The HTTPS transport allows the operator to select the TCP port on the listening post to which the Implant should attempt to connect. HTTPS traffic is typically directed at a web server's port 443.

URL Randomization

The HTTPS transport randomizes the URL used during Implant communications, including both the path and filename components. The path of the URL is randomized by selecting one of a set of path components provided in the transport configuration. If no path components are provided, a path is randomly generated from between three and eight alphanumeric characters. The filename of the URL is an encoded string of at least sixteen alphanumeric characters that is composed of the Implant ID and a nonce used to obfuscate the ID.

Proxy Support

The HTTPS transport supports the optional use of proxy credentials for communication. A username and password, when provided to the transport configuration, will be used to authenticate with the network proxy during communications using the transport.

7.5.2 Push Directories

Assassin provides push directories, intended to support third-party tools. Two directories created by the Assassin implant, the output and push folders, will push files from the target machine to the listening post. Files detected in these directories are immediately packaged with metadata and encrypted for transmission. Metadata collected for pushed files includes the file's name and size, the time it was detected, and the ID of the Implant that collected it.

Files placed in the output directory are placed in the upload queue for later transmission. Files placed in the push directory are uploaded immediately; if the immediate upload fails, the file is placed in the upload queue with priority status.

7.5.3 Upload Queue

The Assassin Implant maintains a queue of files that are awaiting upload to the listening post. The Implant uploads files from the queue during the beacon transaction in first-in first-out order. Files in the upload queue may be given priority status, moving them to the front of the queue.

The upload queue is stored in the Implant's staging directory. Files are given a random name of between five and twenty-five alphanumeric characters. Files with priority status are prepended with the tilde character, ~. The Assassin implant will not store more than 16,384 files in the staging directory to prevent overflowing the limitations of the file system.

7.5.4 Chunking

Assassin's chunking feature allows operators to set limits on the amount of data that is uploaded from the target to the listening post during any beacon transaction. If the Implant is configured with a non-zero chunk size, it will send files from the upload queue until this threshold is met or the queue is empty. The Implant will always send the first file in the queue, regardless of size. Subsequent files are checked for size and are only sent if they will not push the beacon transaction past its upload limit.

Any task results or pushed files (from the output directory) that are larger than the current chunk size parameter are broken up to conform to the current upload limits. These chunks are later reassembled by the Post Processor.

Assassin sets a hard limit on the size of files that it uploads at 1 GiB. Any files larger than the limit will be chunked no larger than 1 GiB. This size limit only affects the way files are handled on target, not the upload limit set by the chunk size configuration. If the operator modifies the chunk size configuration, chunked files in the upload queue are not reprocessed.

7.6 Operational Window

The Operational Window refers to the period of time during which the Assassin Implant is active on a target machine. This window is defined by the Implant's hibernate, scheduled uninstall, and failure threshold parameters.

7.6.1 Hibernate

The Assassin Implant may be configured to hibernate for a period of time before going active on a target. During this hibernation period, the Implant is dormant, neither beaconing nor processing tasks. The hibernation period is defined in the configuration as seconds after the Implant is first run on the target.

7.6.2 Scheduled Uninstall

The Assassin Implant may be scheduled to autonomously uninstall on a certain date and/or after a certain period of time. The conditions for the uninstallation are provided in the configuration and checked periodically by the Implant.

The uninstall date specifies a date and time at which the Implant should uninstall. If the target clock is equal to or later than the configured date, the Implant uninstalls.

The uninstall timer specifies a period of time after which the Implant should uninstall. This time period is defined as a number of seconds after the Implant is first run on the target.

7.6.3 Failure Threshold

The Assassin Implant may be configured to end the operation if it passes a defined failure threshold. If the Implant fails to beacon more than a configured number of consecutive times, it will autonomously uninstall from the target.

7.7 Configuration

The behavior of the Assassin Implant is widely configurable through the modification of several parameters. Configured Implant Executables are generated using the Builder, the usage for which is documented in section 9. The Implant configuration is patched into the Implant binary at build time.

7.7.1 Configuration Sets

The Implant identifies and manipulates three full sets of configurations: running, persistent, and factory. These configuration sets are described below.

Running

The running configuration is the settings the Implant is currently using to operate. The running configuration is stored solely in memory and is lost whenever the Implant restarts. During operation, all modifications to the Implant configuration are made to the running configuration. If changes are not explicitly persisted, they will be lost on restart.

Persistent

The persistent configuration is the settings that the Assassin Implant will revert to upon startup, regardless of the running configuration from the previous session. If the Implant Executable is able to access its original binary, the persistent configuration is stored as a patch in the binary. If not, the persistent configuration is saved to a file in the Implant's startup directory with a random filename and extension.

Factory

The factory configuration is the settings that the Implant had when it was built and originally deployed. The operator may easily revert to this configuration at any time. The persistent configuration is stored as a patch in the Implant Executable binary and is never modified.

7.8 Crypto

The Assassin toolset uses a modified RC4 stream cipher to provide cryptographic services. Any data stored on the target file system or sent over the wire is encrypted prior to potential exposure.

The Implant carries a sixteen-byte key that is generated and patched into the binary by the Builder. A sixteen-byte session key is generated by combining a four-byte nonce with the key and calculating the MD5 hash. A new session key is calculated per crypto transaction. The four-byte nonce is prepended to the ciphertext before being stored or transmitted.

Assassin modifies the RC4 scheme by flushing the crypto state machine with 1024 zeroes during initialization.

7.9 Footprint

This section documents the footprint of the Implant Executable and its operation on the target environment.

7.9.1 Implant Executable

The Implant Executable is copied to the target file system before it is run. The name and location of the executable are determined by the operator, either through directly placing the executable or by configuring the Deployment Executable that places it.

7.9.2 Directories

The Implant Executable will create five directories on the target file system that it uses to manage communications and tasking. The Implant will ignore subdirectories, allowing the directories to be nested with other directories, including other Assassin directories, without affecting operation.

Input

Assassin tasking files are downloaded to and stored in the input directory until they can be processed by the Implant. Tasking files are given a random filename between five and twenty-five alphanumeric characters.

Startup

Assassin tasking files designated for startup execution are moved to the startup directory and processed once whenever the Implant starts. They retain the filename they were given in the input directory. The directory may also contain a configuration file of the implant's persisted settings with a random filename and extension.

Output

Files placed in the output directory are packaged and placed in the upload queue for transmission during the next beacon. Third-party tools may use this feature to forward files to the listening post.

Push

Files placed in the push directory are packaged and uploaded immediately, ignoring the beacon interval and chunk size. If the Implant is unable to upload the file, it is placed in the upload queue with priority status. Third-party tools may use this feature to forward files to the listening post.

Staging

The Implant uses the staging directory to manage its upload queue. Files created in this directory are given a random filename of eight alphanumeric characters and a numeric counter. This directory is reserved for Implant use. The behavior of files placed in this directory is undefined.

8 Assassin Deployment

The Deployment Executables provide services to support the deployment of the Implant Executables, such as process injection and persistence. One of the Deployment Executables is selected based on the concept of operations and executed on the target computer. The Assassin toolset includes two types of Deployment Executables: Injection Launchers and Service Installers.

8.1 Injection Launcher

The Injection Launchers provide persistence and process injection for the Assassin Implant. Each Launcher carries an Implant DLL embedded as a resource, which it is responsible for deploying by injecting it into an existing SYSTEM process. Implants are typically injected into the netsvcs svchost. The Launcher is only able to inject the Implant DLL into SYSTEM processes of the same bitness as itself.

The Injection Extractor provides deployment flexibility by allowing operators to deploy Assassin without prior knowledge of the target environment. The Extractor carries both the 32- and 64-bit Launchers as resources and deploys the appropriate version based on the operating system.

8.1.1 Launching Assassin

The Injection Launcher performs the following steps to achieve soft persistence and process injection for the Implant DLL:

1) Register as Windows Service
The Launcher persists itself as a Windows service that starts on boot. If it is not currently persisted, the Launcher will register itself through direct registry modification. The Launcher is set up as a service with a user-provided cover name and description.

2) Inject Implant
If the Launcher has SYSTEM privileges, it will try to inject the Implant DLL into one of the Windows SYSTEM processes. First, the Implant DLL is dropped to the target disk with a user-defined name and location. The Launcher then walks through the target processes until it finds a suitable host process. Once an appropriate SYSTEM process is identified, the Implant DLL is injected using a Windows hook.

3) Cleanup and Exit
The Launcher passes information about itself to the Implant DLL and terminates.

8.1.2 Extracting Assassin

The Injection Extractor performs the following steps to deploy the Injection Launcher:

1) Detect OS Bitness
The Extractor determines the bitness of the target's operating system.

2) Execute Launcher
The Extractor drops the Launcher to a user-defined location on the target file system and executes it directly.

3) Cleanup and Exit
The Extractor is no longer needed and self deletes.

8.1.3 Configuration

The behavior of the Assassin Injection Launchers and Extractors is customizable through the modification of their configuration. Configured Deployment Executables are generated using the Builder, the usage for which is documented in section 9. The configuration is patched into the Injection binaries at build time.

8.1.4 Footprint

This section documents the footprint of the Injection executables and their operation on the target environment.

Launcher Executable

The Launcher executable is copied to the target file system before it is run. The name and location of the executable are determined by the operator, either through directly placing the executable or by configuring the Extractor that places it.

Extractor Executable

The Extractor executable is copied to the target file system before it is run. The name and location of the executable are determined by the operator who places it. The Extractor self deletes shortly after being run.

Service Registry

The Launcher adds a key to the registry to set itself up as a service. The key is added at HKLM\SYSTEM\CurrentControlSet\Services. The name and subkeys of this key are selected by the operator at build time.

8.2 Service Installer

The Service Installers and Extractor provide persistence for the Assassin Implant. The Installer carries an Implant Service DLL embedded as a resource, which it is responsible for deploying. The Extractor carries both the 32- and 64-bit Implant Service DLLs and installs the appropriate version based on the operating system.

8.2.1 Installing Assassin

The Service Installers and Extractor take the following steps to achieve soft persistence for the Implant Service DLL:

1) Deploy Implant Service DLL
The Implant Service DLL is dropped to the target disk with a user-defined name and location. If running the Extractor, it will select the bit-appropriate DLL.

2) Install Service DLL
The Installer persists the Implant by registering the service DLL as a service through direct registry modification. The Implant Service DLL is set up as a member of the netsvcs svchost with a user-provided cover name and description.

3) Cleanup and Exit
The Installer or Extractor is no longer needed and self deletes.

8.2.2 Configuration

The behavior of the Assassin Service Installers and Extractor is customizable by modifying their configuration. Configured Deployment Executables are generated using the Builder, the usage for which is documented in section 9. The installation configuration is patched into the Installer binaries at build time.

8.2.3 Footprint

This section documents the footprint of the Service Installation executables and their operation on the target environment.

Installation Executable
The Installation executable is copied to the target file system before it is run. The name and location of the executable are determined by the operator who places it. The executable self deletes shortly after being run.

Service Registry
The Installer adds a key to the registry to set the Implant Service DLL up as a service. The key is added at HKLM\SYSTEM\CurrentControlSet\Services. The name and subkeys of this key are selected by the operator at build time.
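Both footprint sections (8.1.4 and 8.2.3) leave the same artifact: an operator-named key under HKLM\SYSTEM\CurrentControlSet\Services that was written directly to the registry. The following is an added example for defenders, not code from the guide: it audits the text output of a recursive reg query of the Services key against a known-good service list. The sample output, the service names, the baseline set and the use of System-log event ID 7045 as the record of services created through the Service Control Manager are assumptions.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
NO_SCM = "no SCM install event (7045)"

# Constructed sample in the layout printed by `reg query <Services key> /s`.
# Every service name and path below is invented for the example.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    DisplayName    REG_SZ    Task Scheduler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAgent
    DisplayName    REG_SZ    Example Backup Agent
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Example\agent.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleHelper
    DisplayName    REG_SZ    Example Helper Service
    ImagePath    REG_EXPAND_SZ    C:\ProgramData\Example\helper.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleNetSvc
    DisplayName    REG_SZ    Example Network Service
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleNetSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Example\netsvc.dll
"""

BASELINE = {"schedule"}           # assumed known-good service names, lower-case
SCM_INSTALLED = {"exampleagent"}  # assumed names seen in event ID 7045 since the baseline


def parse_reg_query(text):
    """Return {service: {value name: data}}; subkey values are stored as 'subkey\\name'."""
    services, values, sub = {}, None, ""
    for line in text.splitlines():
        if line.upper().startswith(ROOT.upper() + "\\"):
            name, _, sub = line[len(ROOT) + 1:].strip().partition("\\")
            values = services.setdefault(name, {})
        elif values is not None and line.startswith("    "):
            fields = line.strip().split("    ", 2)  # name, type, data
            if len(fields) == 3:
                key = sub + "\\" + fields[0] if sub else fields[0]
                values[key.lower()] = fields[2].strip()
    return services


def audit(services, baseline, scm_installed):
    """Return {service: [reasons]} for every service key missing from the baseline."""
    findings = {}
    for name, v in services.items():
        if name.lower() in baseline:
            continue
        reasons = ["not in baseline"]
        if name.lower() not in scm_installed:
            reasons.append(NO_SCM)  # key exists but the SCM never logged its creation
        if int(v.get("start", "0x4"), 16) == 2:
            reasons.append("auto-start")
        if re.search(r"svchost\.exe\s+-k\s+netsvcs\b", v.get("imagepath", "").lower()):
            reasons.append("netsvcs-hosted")
            dll = v.get("parameters\\servicedll", "").lower()
            if not re.match(r"(%systemroot%|c:\\windows)\\system32\\", dll):
                reasons.append("ServiceDll outside System32")
        findings[name] = reasons
    return findings


def high_priority(findings):
    """Services whose key appeared without a matching SCM install record."""
    return sorted(n for n, r in findings.items() if NO_SCM in r)


if __name__ == "__main__":
    result = audit(parse_reg_query(SAMPLE), BASELINE, SCM_INSTALLED)
    for name in sorted(result):
        print(name, "->", "; ".join(result[name]))
    print("review first:", high_priority(result))
```

Because the file names and locations are chosen by the operator, the System32 check is only a secondary signal; the comparison against the baseline and the install events is what carries the audit.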

9 Builder

The Builder configures Implant Executables before deployment. The operator may configure the executables from scratch or provide a configuration/receipt file as a starting point. The Builder provides a custom command line interface for setting the Implant and Deployment Executable configurations before generating the executables. A wizard mode is available to walk the operator through the build process. The Builder outputs configured versions of all Implant Executables and a receipt file recording the parameters used and the build time.

The Builder requires the Assassin Python module, named assassin. The module must be located in the Python search path, which includes the directory with the implant_builder.py script. The Builder also needs access to a directory of blank Implant Executables.

9.1 Usage

implant_builder.py <options>

Options:
  -i INPUT, --in=input
      Specify the directory containing blank Implant Executables. Required.
  -o OUTPUT, --out=output
      Specify the directory to output patched executables and receipt. Required.
  -c CONFIG, --config=config
      Specify an xml-based Assassin configuration file.
  -g, --generate
      Generate the executables from the provided configuration immediately; do not enter builder command line.
  -h, --help
      Show the help message and exit.

9.2 Configuration and Receipt Files

The Builder uses xml-based files to specify or record the configuration of the Implant executables. The format of these files is nearly identical such that they may be used interchangeably.

Configuration files may be passed to the Builder on the command line and used as a starting point for the build process. The Builder will accept partial configuration files.

During Implant executable generation, the Builder creates a receipt file in the target folder of the output directory. The receipt records the configuration of the Implant and the time and date of the build. The Builder can use the receipt as a configuration file input to rebuild an Implant.

9.3 Command Line

The Builder provides a command line interface to view and set the Implant Executable configuration. Once the operator has finished tailoring the configuration of the Implant to their needs, the command line is used to generate the executables.

9.3.1 Builder Commands

The builder commands are used to control the builder. There are commands to view or export configurations, start the wizard, or generate configured Implant Executables.

p [config='all']
    Print the current state of the configuration.
    config      Portion of configuration to print
                  all        print all of the configuration
                  implant    print the Implant DLL configuration
                  launcher   print the launcher configuration
                  extractor  print the Extractor configuration

x <xml_file>
    Export the current configuration to an xml file.
    xml_file    Filename for the exported xml configuration file

w
    Invoke the builder wizard; see section 9.6. Current configuration settings will be presented as defaults in the wizard.

g
    Generate the configuration and build the Implant executables. The Implant executables and build receipt will be placed in the output directory under a folder named Assassin-<ImplantID>.

c
    Cancel the build process. Any unsaved progress will be lost.

9.3.2 Build Option Commands

The build option commands are used to specify the types of Assassin Executables the Builder should generate.

build_outputs [options]
    Set the build outputs for the current build. If no parameters are provided, the command will enter a subshell; see section on the Build Outputs subshell.
    options     One or more of the following build types
                  'all' - All available Assassin Executables
                  'run-dll' - Implant DLLs, 32- and 64-bit
                  'service-dll' - Implant Service DLLs, 32- and 64-bit
                  'executable' - Implant EXEs, 32- and 64-bit
                  'injection' - Injection Launchers, 32- and 64-bit, and Extractor
                  'service' - Service Installers, 32- and 64-bit, and Extractor
                  'ice_dll' - ICE V3 DLLs, 32- and 64-bit
                  'pernicious_ice_dll' - ICE V3 DLLs, 32- and 64-bit

9.3.3 Implant Commands

The Implant commands are used to modify the configuration of the Assassin Implant. The Implant configuration determines the behavior of the Implant once it is running on the target machine.

beacon [initial=0][default_int=0][max_int=0][factor=0.0][jitter=0]
    Set one or more of the beacon parameters.
    initial       Initial wait after Implant startup before beacon (default = 0)
    default_int   Default interval between beacons (default = 0)
    max_int       Maximum interval between beacons (default = 0)
    factor        Backoff factor to modify beacon interval (default = 0)
                  If beacon fails, multiply beacon interval by factor.
                  If beacon succeeds, restore beacon interval to default.
    jitter        Range to vary the timing of beacons (default = 0)

blacklist [programs=[]][files=[]]
    Set the target blacklist. If no parameters are provided, the command will enter a subshell; see section on Program List subshells.
    programs      Set of executable names to include in the blacklist, specified as a Python list or tuple
    files         Set of blacklist files, specified as a Python list or tuple
                  Blacklist files are whitespace-delimited lists of executable names to include in a target blacklist.

chunk_size <size>
    Set chunk size to restrict network traffic per beacon. The Implant will chunk files to size bytes and attempt to limit uploads to size bytes.
    size          Maximum Implant upload size per beacon
                  Setting the size to 0 will disable upload chunking.

crypto_key
    Generate a new cryptographic key for secure storage and communication.

hibernate <seconds>
    Set the hibernate time in seconds after first execution. The Implant will lie dormant until the hibernate period has elapsed.
    seconds       Number of seconds to hibernate after first execution

id <parent> [child=none]
    Set the Implant ID.
    parent        Parent ID for implant, specified by 4 case-sensitive alphanumeric characters
    child         Child ID for implant, optionally specified by 4 case-sensitive alphanumeric characters
                  If the child ID is not set at build, it will be generated at first execution on target.

max_fails <count>
    Set the maximum number of sequential beacon failures before uninstalling.
    count         Number of failures before uninstalling

path_in <path>
    Set the path of the implant's input directory.
    path          Windows path specifying location of the directory
                  Note: Assassin will create multiple directory levels to match path but will only remove path on uninstall.

path_out <path>
    Set the path of the implant's output directory.
    path          Windows path specifying location of the directory
                  Note: Assassin will create multiple directory levels to match path but will only remove path on uninstall.

path_push <path>
    Set the path of the implant's push directory.
    path          Windows path specifying location of the directory
                  Note: Assassin will create multiple directory levels to match path but will only remove path on uninstall.

path_staging <path>
    Set the path of the implant's staging directory.
    path          Windows path specifying location of the directory
                  Note: Assassin will create multiple directory levels to match path but will only remove path on uninstall.

path_startup <path>
    Set the path of the implant's startup directory.
    path          Windows path specifying location of the directory
                  Note: Assassin will create multiple directory levels to match path but will only remove path on uninstall.

transports [xml_file=none]
    Set the communication transport configuration. If no parameters are provided, the command will enter a subshell; see section on Transport List subshells.
    xml_file      XML file containing an Assassin transport list configuration

uninstall_date <date>
    Set the uninstall date for the Implant.
    date          Date-Time or Date, specified in ISO 8601 format
                  Date-Time: yyyy-mm-ddthh:mm:ss
                  Date: yyyy-mm-dd

uninstall_timer <seconds>
    Set the uninstall timer as seconds from first execution.
    seconds       Number of seconds after first execution to uninstall

whitelist [programs=[]] [files=[]]
    Set the target whitelist. If no parameters are provided, the command will enter a subshell; see section 9.4.2 on Program List subshells.
    programs      Set of executable names to include in the whitelist, specified as a list or tuple
    files         Set of whitelist files, specified as a list or tuple
                  Whitelist files are whitespace-delimited lists of executable names to include in a target whitelist.
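The beacon command above describes a back-off rule: a failed beacon multiplies the interval by factor up to max_int, and a successful one restores default_int. The following is an added example for network defenders, not code from the guide: it groups constructed proxy-log lines by source and destination and scores how well the gaps between connections are explained by that rule. The log layout, host names, addresses, the assumption that intervals are in seconds, and the handling of jitter as a relative tolerance are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy-log lines: "<epoch seconds> <source host> <destination> <result>".
SAMPLE_LOG = """\
0 ws-014 203.0.113.10 ok
10 ws-022 198.51.100.7 ok
15 ws-022 198.51.100.7 ok
60 ws-014 203.0.113.10 ok
122 ws-014 203.0.113.10 fail
240 ws-014 203.0.113.10 fail
315 ws-022 198.51.100.7 ok
327 ws-022 198.51.100.7 ok
374 ws-022 198.51.100.7 ok
483 ws-014 203.0.113.10 fail
961 ws-014 203.0.113.10 fail
1861 ws-014 203.0.113.10 fail
2174 ws-022 198.51.100.7 ok
2177 ws-022 198.51.100.7 ok
2267 ws-022 198.51.100.7 ok
2764 ws-014 203.0.113.10 fail
2907 ws-022 198.51.100.7 ok
3661 ws-014 203.0.113.10 ok
3722 ws-014 203.0.113.10 ok
3781 ws-014 203.0.113.10 ok
"""


def group_times(log_text):
    """Return {(source, destination): sorted connection times}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            times[(parts[1], parts[2])].append(float(parts[0]))
    return {pair: sorted(ts) for pair, ts in times.items()}


def fit_backoff(timestamps, tol=0.10):
    """Estimate base interval, factor and cap, and score the fit of the back-off rule.

    Each gap must be close to the base interval (previous connection succeeded)
    or to min(previous gap * factor, cap) (previous connection failed).
    Timing only is used, since failures are not always visible in a proxy log.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 4 or min(gaps) <= 0:
        return None  # too little data to say anything
    base, cap = min(gaps), max(gaps)
    # Growth steps that stay below the cap give clean estimates of the factor;
    # the step that reaches the cap may be truncated, so it is left out.
    steps = [b / a for a, b in zip(gaps, gaps[1:])
             if b > a * (1 + tol) and b < cap * (1 - tol)]
    factor = median(steps) if steps else cap / base

    def near(value, expected):
        return abs(value - expected) <= tol * expected

    hits = sum(1 for prev, gap in zip(gaps, gaps[1:])
               if near(gap, base) or near(gap, min(prev * factor, cap)))
    return {"base": base, "factor": round(factor, 2), "cap": cap,
            "score": hits / (len(gaps) - 1)}


def flag_beacons(log_text, min_score=0.8):
    """Return the fits for source/destination pairs whose timing matches the rule."""
    flagged = {}
    for pair, times in group_times(log_text).items():
        fit = fit_backoff(times)
        if fit and fit["score"] >= min_score:
            flagged[pair] = fit
    return flagged


if __name__ == "__main__":
    for pair, fit in flag_beacons(SAMPLE_LOG).items():
        print(pair, fit)
```

A pair with a fixed interval and no back-off also scores 1.0 here (factor close to 1), so ordinary periodic software such as update checks needs to be allow-listed before the output is triaged.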

9.3.4 Launcher Commands

The Launcher commands are used to modify the configuration of the Assassin Launcher. The Launcher configuration determines behavior regarding the persistence and injection of the Implant.

dll_path <path> [bits='all']
    Set the path where the launcher will place the Implant DLL.
    path          Windows path specifying the location of the Implant DLL
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

persistence <bool> [bits='all']
    Set whether or not a launcher will install its persistence method.
    bool          Boolean specifying if persistence will be installed
                    T - install the persistence mechanism
                    F - do not install the persistence mechanism
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

reg_description <string> [bits='all']
    Set the cover description for the launcher in the registry.
    string        String specifying registry description of the launcher
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

reg_key_path <path> [bits='all']
    Set the registry key name and path for the Launcher.
    path          Windows registry path specifying the key used to persist the Launcher. If path is the key name, SYSTEM\CurrentControlSet\Services\ is prepended. The launcher key must be in the Services key.
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

reg_name <string> [bits='all']
    Set the cover display name for the launcher in the registry.
    string        String specifying registry display name of the launcher
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

start_now <bool> [bits='all']
    Set whether or not the launcher attempts to start immediately or waits for reboot.
    bool          Boolean specifying if launcher will start immediately
                    T - attempt to start immediately
                    F - wait for reboot to start
    bits          Bitness of launcher to configure
                    all - configure all launchers
                    32 - configure the 32-bit launcher
                    64 - configure the 64-bit launcher

9.3.5 Extractor Commands

The Extractor commands are used to modify the configuration of the Assassin Extractor. The Extractor configuration determines how the Assassin Launcher will be deployed to the target machine.

path_32 <path>
    Set the 32-bit launcher extraction path.
    path          Windows path specifying the location of the 32-bit launcher

path_64 <path>
    Set the 64-bit launcher extraction path.
    path          Windows path specifying the location of the 64-bit launcher

9.4 Subshells

The Builder uses subshells to provide an interactive interface to modify various configuration fields, including whitelist, blacklist, and transport list.

9.4.1 Build Outputs

The Build Outputs subshell is used to define what Implant and Deployment executables the Builder should generate. The Build Outputs subshell is accessed through the Builder wizard or by not providing parameters to the build_outputs command in the Builder.

Interface
The Build Outputs subshell will repeatedly prompt the user for output types until the build outputs are generated. The subshell accepts two types of input: commands and build types. After each input, the subshell will update and display the state of the outputs list.

Commands
The following commands are used to modify the build outputs:

d <index>
    Delete a process image name from the program list.
    index         Index of the target program name in the current list

g
    Generate the program list and build the patch used in the configuration field for Implant executables or tasks.

Build Types
The subshell accepts the following build types:

    all                   Build all available Implant and Deployment Executables
    run-dll               Build the Implant DLLs, 32- and 64-bit
    service-dll           Build the Implant Service DLLs, 32- and 64-bit
    executable            Build the Implant EXEs, 32- and 64-bit
    injection             Build the Injection Launchers, 32- and 64-bit, and Extractor
    service               Build the Service Installers, 32- and 64-bit, and Extractor
    ice_dll               ICE V3 DLLs, 32- and 64-bit
    pernicious_ice_dll    DLL matching the NSA Pernicious Ice specification

9.4.2 Program List

The Program List subshell is used to generate a list of program image names. These are used to update the whitelist or blacklist in the Implant configuration. The Program List subshell is accessed through the Builder wizard or by not providing parameters to a command to update the whitelist or blacklist in the Builder or Tasker.

Interface
The Program List subshell will repeatedly prompt the operator for input until the program list is generated. The subshell accepts two types of input: commands and entries to the program list. After each input, the subshell will update and display the state of the list, including contents and capacity. For a list of available commands, the operator may enter help, h, or ? on the command line.

Commands
The following commands are used to modify the current program list:

f <filename>
    Provide a file of program names to add to the current program list.
    filename      Program list files are whitespace-delimited lists of process image names to include in a program list.

d <index>
    Delete a process image name from the program list.
    index         Index of the target program name in the current list

g
    Generate the program list and build the patch used in the configuration field for Implant executables or tasks.

c
    Cancel the list creation process. Any unsaved progress will be lost.

9.4.3 Transport List

The Transport List subshell is used to generate or update a transport configuration for an Assassin Implant. The subshell is accessed through the Builder wizard or by not providing parameters to a command to update the transport list in the Builder or Tasker.

Interface
The Transport List subshell will repeatedly prompt the operator for input until the transport list is generated. The subshell accepts an array of commands used to view and modify the current working transport list.

Commands
The following commands are used to view or modify the current transport list:

p
    Print the current transport list.

a
    Add a transport to the list. The subshell will prompt the operator for each of the parameters required to create a new transport and add it to the end of the list.

i <index>
    Insert a transport into the list. The subshell will prompt the operator for each of the parameters required to create a new transport and insert it into the list at the specified index.
    index         Zero-based index into the transport list identifying the location of the new transport

d <index>
    Delete a transport from the list.
    index         Zero-based index into the transport list identifying the target transport

m <index> <new_index>
    Move a transport from one position within the transport list to another.
    index         Zero-based index into the transport list identifying the target transport
    new_index     Zero-based index into the transport list identifying the new location of the transport within the list

f <filename>
    Provide a file containing the xml-based specification of a transport list to add to the transport list.


More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Apptix Online Backup by Mozy User Guide

Apptix Online Backup by Mozy User Guide Apptix Online Backup by Mozy User Guide 1.10.1.2 Contents Chapter 1: Overview...5 Chapter 2: Installing Apptix Online Backup by Mozy...7 Downloading the Apptix Online Backup by Mozy Client...7 Installing

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-4 Configuring Date and Time Properties,

More information

NetExtender for SSL-VPN

NetExtender for SSL-VPN NetExtender for SSL-VPN Document Scope This document describes how to plan, design, implement, and manage the NetExtender feature in a SonicWALL SSL-VPN Environment. This document contains the following

More information

Software Description Application Software OTT Hydras 3 net

Software Description Application Software OTT Hydras 3 net English Software Description Application Software OTT Hydras 3 net We reserve the right to make technical changes and improvements without notice! Table of contents 1 Overview of OTT Hydras 3 net 5 2 Data

More information

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

Using the Cable Monitor Tool

Using the Cable Monitor Tool APPENDIX B This appendix describes the Cisco ubr905 and Cisco ubr925 cable access routers Cable Monitor tool. The Cable Monitor is part of the router s onboard software that provides a web-based diagnostic

More information

DataMan. version 6.5.4

DataMan. version 6.5.4 DataMan version 6.5.4 Contents DataMan User Guide 1 Introduction 1 DataMan 1 Technical Specifications 1 Hardware Requirements 1 Software Requirements 2 Ports 2 DataMan Installation 2 Component Installation

More information

Table Of Contents INTRODUCTION... 6 USER GUIDE Software Installation Installing MSI-based Applications for Users...9

Table Of Contents INTRODUCTION... 6 USER GUIDE Software Installation Installing MSI-based Applications for Users...9 Table Of Contents INTRODUCTION... 6 USER GUIDE... 8 Software Installation... 8 Installing MSI-based Applications for Users...9 Installing EXE-based Applications for Users...10 Installing MSI-based Applications

More information

SECRET//NOFORN. Dumbo v3.0 User Guide 25 June CL BY: DECL: 25X1; 25 June 2040 DRV: CIA NSCG MET S-06 SECRET//NOFORN

SECRET//NOFORN. Dumbo v3.0 User Guide 25 June CL BY: DECL: 25X1; 25 June 2040 DRV: CIA NSCG MET S-06 SECRET//NOFORN Dumbo v3.0 User Guide 25 June 2015 CL BY: 2428190 DECL: 25X1; 25 June 2040 DRV: CIA NSCG MET S-06 SECRET//NOFORN Table of Changes Date Change Description Authority SECRET//NOFORN i (U) Table of Contents

More information

Fisher ROC Plus Serial Driver Help Kepware, Inc.

Fisher ROC Plus Serial Driver Help Kepware, Inc. Fisher ROC Plus Serial Driver Help 2015 Kepware, Inc. 2 Table of Contents Table of Contents 2 5 Overview 5 Channel Setup 7 Device Setup 13 Scan Mode 15 Timings and Timeouts 16 Automatic Demotion 17 Automatic

More information

Configure the Cisco DNA Center Appliance

Configure the Cisco DNA Center Appliance Review Cisco DNA Center Configuration Wizard Parameters, page 1 Configure Cisco DNA Center Using the Wizard, page 5 Review Cisco DNA Center Configuration Wizard Parameters When Cisco DNA Center configuration

More information

Dell Server Deployment Pack Version 2.1 for Microsoft System Center Configuration Manager User's Guide

Dell Server Deployment Pack Version 2.1 for Microsoft System Center Configuration Manager User's Guide Dell Server Deployment Pack Version 2.1 for Microsoft System Center Configuration Manager User's Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better

More information

iresetme Version 2.01 As of August 2014 Kisco Information Systems 89 Church Street Saranac Lake, New York 12983

iresetme Version 2.01 As of August 2014 Kisco Information Systems 89 Church Street Saranac Lake, New York 12983 iresetme Version 2.01 As of August 2014 Kisco Information Systems 89 Church Street Saranac Lake, New York 12983 Phone: (518) 897-5002 FAX: (518) 897-5003 E-mail: Sales@Kisco.com WWW: http://www.kisco.com

More information

Privileged Access Integration Client Guide

Privileged Access Integration Client Guide Privileged Access Integration Client Guide 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Security context. Technology. Solution highlights

Security context. Technology. Solution highlights Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for

More information

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

VMware AirWatch Tizen Guide

VMware AirWatch Tizen Guide VMware AirWatch Tizen Guide AirWatch v8.4 and higher Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software,

More information

Editing ITP MLR Address Table Files

Editing ITP MLR Address Table Files 16 CHAPTER You use the Cisco Mobile Wireless Transport Manager (MWTM) to configure Multi-Layer Routing (MLR) address table files by using the MWTM Address Table Editor. You can: Create new address table

More information

Pulse Connect Secure. Network Connect and Windows Secure Access Manager (WSAM) Error Messages. Product Release 8.1

Pulse Connect Secure. Network Connect and Windows Secure Access Manager (WSAM) Error Messages. Product Release 8.1 Pulse Connect Secure Network Connect and Windows Secure Access Manager (WSAM) Error Messages Product Release 8.1 Document Revision 1.0 Published: 2015-02-10 2015 by Pulse Secure, LLC. All rights reserved

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide HPE Security Fortify WebInspect Enterprise Software Version: 17.10 Windows operating systems Installation and Implementation Guide Document Release Date: May 2017 Software Release Date: April 2017 Legal

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

AN408. A Web-Configurable LabVIEW Virtual Instrument for a BL2600 and RN1100

AN408. A Web-Configurable LabVIEW Virtual Instrument for a BL2600 and RN1100 AN408 A Web-Configurable LabVIEW Virtual Instrument for a BL2600 and RN1100 This application note (AN408) expands on Application Note 407 (AN407) to describe a more advanced BL2600 application to interface

More information

Aspera Connect User Guide 3.7.0

Aspera Connect User Guide 3.7.0 Aspera Connect User Guide 3.7.0 Mac OS X Revision: 3.7.0.138343 Generated: 01/19/2017 13:37 Contents 2 Contents Introduction... 3 System Requirements... 4 Setting Up Connect...5 Part 1: Installation...5

More information

BEAAquaLogic. Service Bus. Upgrade Guide

BEAAquaLogic. Service Bus. Upgrade Guide BEAAquaLogic Service Bus Upgrade Guide Version 2.5 Document Date: July 2006 Copyright Copyright 1995-2005 BEA Systems, Inc. All Rights Reserved. Restricted Rights Legend This software is protected by copyright,

More information

SafeConsole On-Prem Install Guide

SafeConsole On-Prem Install Guide SafeConsole On-Prem Install Guide This guide applies to SafeConsole 5.0.5 Introduction This guide describes how to install a new SafeConsole server on Windows using the SafeConsole installer. As an option,

More information

MegaTrack. Quick Start Guide

MegaTrack. Quick Start Guide MegaTrack Quick Start Guide MegaTrack Quick Start Guide This document will help you quickly install and test the MegaTrack software. For additional information regarding the operation and configuration

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

WebVPN. WebVPN Security Precautions CHAPTER

WebVPN. WebVPN Security Precautions CHAPTER CHAPTER 28 lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. provides easy access to a broad

More information

QuickStart Guide for Managing Computers. Version

QuickStart Guide for Managing Computers. Version QuickStart Guide for Managing Computers Version 10.6.0 copyright 2002-2018 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite 1100

More information

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7 Directory Connector SonicWALL Directory Services Connector 3.1.7 Contents Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Issues... 5 Overview... 7 About SonicWALL Single Sign-On

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-3 Configuring Date and Time Properties,

More information

Discover Kaseya FAQ for KSDU

Discover Kaseya FAQ for KSDU Q: Are additional licenses needed for the Policy Manager? A: Licensing questions should be brought to your sales representative Q: Are Windows service packs supported? A: Yes. Any Manual Install Only SP's

More information

Integration Framework. Architecture

Integration Framework. Architecture Integration Framework 2 Architecture Anyone involved in the implementation or day-to-day administration of the integration framework applications must be familiarized with the integration framework architecture.

More information

FA Service Configuration Mode Commands

FA Service Configuration Mode Commands FA Service Configuration Mode Commands The Foreign Agent Service Configuration Mode is used to create and manage the Foreign Agent (FA) services associated with the current context. Important The commands

More information

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE 08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE Contents 1 Introduction... 2 1.1 Document Scope... 2 1.2 Technical Specifications... 2 2 Using the Netop Host... 3 2.1 Netop Host Display... 3 2.2 Netop

More information

Dell Lifecycle Controller Integration Version 2.2 For Microsoft System Center Configuration Manager User's Guide

Dell Lifecycle Controller Integration Version 2.2 For Microsoft System Center Configuration Manager User's Guide Dell Lifecycle Controller Integration Version 2.2 For Microsoft System Center Configuration Manager User's Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you

More information

VMware AirWatch Zebra Printer Integration Guide

VMware AirWatch Zebra Printer Integration Guide VMware AirWatch Zebra Printer Integration Guide For multiple Workspace ONE UEM versions Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Central Administration Console Installation and User's Guide

Central Administration Console Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1.1 Central Administration Console Installation and User's Guide SC27-2808-04 IBM Tivoli Storage Manager FastBack for Workstations Version

More information

Using ANM With Virtual Data Centers

Using ANM With Virtual Data Centers APPENDIXB Date: 3/8/10 This appendix describes how to integrate ANM with VMware vcenter Server, which is a third-party product for creating and managing virtual data centers. Using VMware vsphere Client,

More information

Property and Copyright Information. Notice

Property and Copyright Information. Notice 1.0 Administrator Panel END USER DOCUMENTATION This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

Citrix SCOM Management Pack 1.4 for ShareFile

Citrix SCOM Management Pack 1.4 for ShareFile Citrix SCOM Management Pack 1.4 for ShareFile Nov 27, 2017 Citrix SCOM Management Pack for ShareFile is an availability and performance management solution that extends end-toend service monitoring capabilities

More information